-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:06                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sudo port may enable local privilege escalation

Category:       ports
Module:         sudo
Announced:      2002-01-16
Credits:        Sebastian Krahmer <krahmer@suse.de>
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-15 02:56:33 UTC
FreeBSD only:   NO

I.   Background

Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity.

II.  Problem Description

The sudo port, versions prior to sudo-1.6.4.1, contains a
vulnerability that may allow a local user to obtain superuser
privileges.

If a user who has not been authorized by the system administrator
(listed in the `sudoers' file) attempts to use sudo, sudo will send an
email alert.  When it does so, it invokes the system mailer with
superuser privileges, and with most of the user's environment intact.

The sudo port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

If the system mailer's behavior can be influenced by the settings of
environmental variables, then an attacker may obtain superuser
privileges.  There is at least one mailer (postfix) that can be
influenced in this fashion.

IV.  Workaround

1) Deinstall the sudo port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the sudo port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/security/sudo/Makefile                                         1.43
ports/security/sudo/distinfo                                         1.26
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPEYIq1UuHi5z0oilAQEgTAP/YXD+lSngGwbloUn09xvwgn8i5uGaEX5O
Rj1v7XM3HRT/Gmr1CJiK7LtMbj/iilHzC2YiTAUHyxYzdEU7k9SnLgxK6rcSYNql
5wkYL1asHQhFPYejEqQVPKejrr4L/+/bYmQbkLKc9EMdErnhYoNrw6QbN+XvmO6p
oAzSK07ixi4=
=rmb8
-----END PGP SIGNATURE-----
